Yahoo exposes details of secretive FBI data demands

Technology firm Yahoo has released the contents of three secretive National Security Letters (NSLs) routinely used by the FBI to request personal information and communications data about targets deemed to be a threat to the nation.

The letters, which have been used by the agency for decades without oversight from the courts, were received in April 2013, August 2013 and June 2015 and outline the vast demands for data by the FBI while legally gagging Yahoo from speaking out.

Over the past few years, snippets of detail have emerged about the content of these requests; however, the move by Yahoo to release the letters marks the first case of a company being able to publicly acknowledge receiving an NSL without engaging in a years-long court battle. Chris Madsen, Yahoo's head of global law enforcement, security and safety, said: "We believe there is value in making these documents available to the public to promote an informed discussion about the legal authorities available to law enforcement."

As a result of the recently enacted USA Freedom Act, the FBI is now required to assess every three years whether the strict nondisclosure rules surrounding the compel notices remain appropriate – and to lift the request when not. In this instance, the FBI lifted its Yahoo gag order in early May.

The letters, published in a partially redacted format by Yahoo, do not outline the names of the three individuals the FBI was requesting information on, nor the nature of the investigations being carried out – however, they provide crucial insight into how the letters are legally structured and what data is asked for.

This information includes account numbers, IP addresses, postal details, email accounts, billing records, internet screen names, telephone numbers and much more. "We produced the name, address, and length of service for each of the accounts identified in two of the NSLs, and no information in response to the third NSL as the specified account did not exist in our system," Madsen explained.

"Yahoo complied with these three NSLs and, to the extent we had the information requested, we disclosed it as authorized by law [...] each NSL included a nondisclosure provision that prevented Yahoo from previously notifying its users or the public of their existence."

According to the initial FBI request, the firm is "obligated" to provide the data. It also warns: "A disclosure of the fact that the FBI has sought or obtained access to the information sought by this letter may endanger the national security of the United States."

Expansion of NSLs

The use of such compel notices rapidly expanded after the introduction of the US Patriot Act in the aftermath of 9/11; however, the exact content remained largely secret until a number of court challenges were made by recipients.

One case involved a former internet service provider (ISP) owner called Nicholas Merrill who fought an 11-year court battle with the FBI to be allowed to talk about his experiences in public. In September last year, a US district judge ruled there was little reason to withhold the content and this resulted in one of the first major disclosures about the letters.

The full scope of the FBI's use of NSLs remains unknown, yet it is believed the agency has issued more than 300,000 over the past 10 years. Meanwhile, John Pistole, a former deputy director of the FBI, said in March 2007 that the agency was sending out 40,000 to 60,000 NSLs a year.